Fri, 2003-02-14 at 00:53, Chris Toshok wrote:
> > ldapsearch should never hang, but return a result - whatever that is.
> > There's a list of errors in ldap.h as long as your arm to cope with all
> > ldap eventualities (not poorly configured DNS or the like, though).
>
> In conditions where it's possible to induce a hang, ldapsearch will
> *always* hang unless you give it an explicit timeout. It defaults to
> infinite wait. But that doesn't matter, as it turns out in this
> instance I was just being stupid and using -ZZ on the command line
> instead of -H ldaps://.... I get the successful (but empty) search with
> that.

That's why I keep on going on about upgrading OpenLDAP. Look inside ldap.h at the 80-90 errors, especially.

> It's troubling that I have essentially the same set up here (SSL/TLS set
> to Always, port set to 636 - I don't even allow connections on 389 on
> this particular box) and it works fine for me.

The normal procedure for TLS is for the client to connect to 389 and do a starttls. slapd from OpenLDAP 2.1.x can be configured so that it won't initiate a bind unless starttls is given.

> My point with the above line was that we can't do all the nice stuff the
> mailer can wrt self signed certs, popping up dialogs, asking for user
> confirmation and all that. There's no way we can recover from what the
> ldap library considers to be a fatal error, or (as far as I can tell,
> please correct me if I'm wrong) cause a connection to fail because of
> what we/the user considers a fatal error. We're stuck with the openldap
> client lib's policy decisions.

I can't comment there, because I don't know Ximian's policy. All I can say that could possibly be of interest is that GQ for Gnome, for example, uses the OpenSSL and OpenLDAP libldap and liblber libs, and 0.7.0beta2 has everything except SASL working at the moment (development would seem to be dead for the time being). The code is available; I compile my own.
As time goes on and more and more people/orgs start using ldap in one form or another, there will be more and more demand. Minimum security is SSL on port 636 (eDirectory, Windows AD), and SASL in one form or another will become ever more common. With regard to certs, OpenLDAP 2.1.x is picky and CA-signed certs are de rigueur. Nothing to stop a site becoming its own CA, though.

Best,

Tony

--
Tony Earnshaw

When you rob a person of his illusions,
you are robbing him of his happiness

e-post: [EMAIL PROTECTED]
www: http://www.billy.demon.nl

_______________________________________________
evolution maillist - [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution
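The two points Tony makes above (slapd refusing to bind until StartTLS has been negotiated, and the client library insisting on a CA-signed certificate, with the site acting as its own CA if need be) translate into a few lines of OpenLDAP configuration. The fragment below is an added illustration and is not from this thread, from Ximian, or from the OpenLDAP project; the certificate and CA file paths are hypothetical. The weak setting is shown in a comment beside the corrected one.

```conf
# --- /etc/openldap/slapd.conf (server side, OpenLDAP 2.1.x style) ---
# Hypothetical paths: substitute the site's own CA and server certificate files.
TLSCACertificateFile   /etc/openldap/certs/site-ca.pem
TLSCertificateFile     /etc/openldap/certs/ldap-server.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap-server.key

# Weak: no "security" line at all, so a client may bind in the clear on 389
# and send its password before, or instead of, issuing StartTLS.

# Corrected: refuse every operation, the bind included, until the session is
# protected by TLS (StartTLS on 389 or ldaps:// on 636).
security tls=1

# --- /etc/openldap/ldap.conf (client side: ldapsearch and other libldap users) ---
# Point the client at the site CA so a CA-signed server certificate verifies,
# even when the site is its own CA.
TLS_CACERT   /etc/openldap/certs/site-ca.pem

# Weak: "TLS_REQCERT never" accepts any server certificate, which defeats the
# purpose of TLS. Corrected: demand a valid, CA-signed certificate or abort.
TLS_REQCERT  demand
```

With the server half in place, a `ldapsearch -ZZ -H ldap://host:389 ...` (the form mentioned in the thread) succeeds only once StartTLS has been negotiated, and `ldapsearch -H ldaps://host:636 ...` goes straight to an SSL session on 636; a plaintext bind on 389 is rejected before any password crosses the wire. With the client half in place, a self-signed or otherwise unverifiable server certificate fails at connect time rather than being silently accepted, which is the libldap policy behaviour Chris describes. The `-l <seconds>` option of ldapsearch bounds the search's time limit; it does not shorten the wait for the connection itself.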
